
04.15.2008 at 10:05AM PDT, ID: 23324434

Access Errors Oddities - Error 64 when accessing certain sites

Asked by prueconsulting in MS Internet Security & Accel, Enterprise Firewalls

Tags: Microsoft, ISA, 2006

Presently we have 2 Microsoft ISA 2006 Enterprise Servers running on Windows 2003. All patches are up to date on both machines. Running in a clustered configuration.

Edge Mode (2 NICs)

1 NIC attaches to the internal LAN and the "external" NIC connects to a Cisco 3550 HA pair of switches in one of our DMZs.

This DMZ is attached to a pair of Cisco 525 PIXes running 6.3.5 IOS connected to AT&T with standard T1s as the interface to the internet (4.5MB Connectivity). Link utilization is high, sitting typically at 80-90% usage.

Also connected to the DMZ switch is a single Cisco PIX 515E running IOS 7.1; this is connected to a Microwave Based Internet Provider (15Mbs Connectivity).


The Default Gateway for the ISA Cluster (Load Balancing on both front and back) is pointing to the Virtual IP of the Cisco Switch, which then determines the default route via OSPF.

If I have the default route pointing out the AT&T side of the fence, everything works as expected; if I adjust the route to make it go out the microwave, then I get errors.


The errors only come when utilizing the Web Proxy. We are pushing the Web Proxy settings as an autodiscover GPO (http://virutalisaserver:8080/array.dll?Get.Routing.Script).

If I bypass the Web Proxy and go out directly via the PIX 515, everything works as expected, no errors.
If I browse the site from the ISA server itself without the Web Proxy enabled in IE, it works (well, other than eBay; eBay still gives me the error 64 even on the server itself).

I have played with the MTU settings: I enabled PMTUDiscovery, BlackHole Detection and even manually set the MTU on the external NIC to 1400, to no avail.

DNS is configured on the ISA servers themselves with external domains pointing to the external ISP DNS and internal domains forwarding to internal DNS Servers.

One thing I have noticed when troubleshooting is that the error seems to happen like so:

Initial Request - ISA01, Login - ISA01, Mail Message - ISA01, Click on Inbox - ISA02 - ERROR 64

I am going to be putting the 515 code level back to 6.35 to rule out a PIX issue, since the configurations are practically identical other than the IPs, obviously, and the IOS version.


Any other things I should be looking at?

Rules in place force Authentication of users (tried with All Users as well, same errors).
So I don't think it's a rule set issue.

I need to get resolution for this before we can continue the rollout for all users.

04.16.2008 at 10:21AM PDT, ID: 21370017


About this solution

Solution Provided By: prueconsulting
Participating Experts: 0
Solution Grade: A